Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
In our organization we use a static IP addressing scheme (some departments have DHCP, which is not related to this thread). We use Squid as proxy.
We assign each machine its IP address and make an entry in our TinyDNS database, and provide those details to users, which they manually enter in their config and then access the network. We assign different ranges of IPs to different departments. This we consider the "proper way" for our organization.
But we have found that a lot of users are simply guessing some IPs and using them without having any entry in our DNS record. Though this works for some, most of the time we end up having IP conflicts and disorganization in our organizational allocation policy.
So, my question is: how do I block the specific IPs whose entry is not explicitly defined in our DNS record? In other words, if the IP 192.168.20.15 (let's say he is jack.ourorganization.com) is defined in our DNS, we should allow access, whereas if IP 192.168.20.16 (this does not translate to any user as it is not defined in our DNS) is not defined in our DNS, we should not allow it access to our network.
I hope my friends here will be able to guide me. Thanks in advance.
What you really need to be doing is monitoring this on your subnets. If not at the managed switch level, look into the arpwatch program. It is extremely handy for this purpose.
By default, OpenSSH enables a feature (the sshd_config directive is UseDNS) that will warn you when a forward and reverse DNS lookup does not match for a client. If you've not created a DNS rec for a particular IP, this should fire off a warning to your logs, and you can deal with it at that time.
Additionally, tcp wrappers (controlled using /etc/hosts.allow) provide a PARANOID wildcard that can allow you to act on sshd clients whose DNS/rDNS recs don't match up.
Still, if someone grabs an IP address that is registered with your DNS, this doesn't help you. Again, the answer is to start monitoring your subnets and more forcefully addressing the root cause of the problem.
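The monitoring approach described in the answer above can be scripted against the ARP table. The following is an added example, not code from the thread or from arpwatch; it applies the same forward/reverse consistency rule that sshd's UseDNS uses to every host currently in the ARP cache and flags the two cases the poster cares about: an IP with no PTR record at all, and an IP whose PTR name does not resolve back to it. The `arp -an` output and the two lookup tables are constructed sample data standing in for a real ARP cache and the organization's TinyDNS zone; when run without `--demo` the script reads the live ARP table and uses the system resolver instead.

```python
"""Flag LAN hosts whose address is not properly registered in DNS.

Added example for this thread (not the original poster's or arpwatch's code).
Assumes Linux `arp -an` output format. Lookups are injected as callables so
the logic can run offline against constructed tables.
"""
import re
import socket
import subprocess
import sys

# Constructed sample of `arp -an` output; addresses and MACs are made up.
SAMPLE_ARP = """\
? (192.168.20.15) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.20.16) at 00:11:22:33:44:66 [ether] on eth0
? (192.168.20.18) at 00:11:22:33:44:88 [ether] on eth0
? (192.168.20.1) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.20.17) at <incomplete> on eth0
"""

# Constructed stand-ins for the reverse (PTR) and forward (A) zones.
# 192.168.20.16 has no PTR; mary's PTR points at a name whose A record
# is a different address, the case UseDNS warns about.
SAMPLE_PTR = {
    "192.168.20.15": "jack.ourorganization.com",
    "192.168.20.18": "mary.ourorganization.com",
    "192.168.20.1": "gw.ourorganization.com",
}
SAMPLE_A = {
    "jack.ourorganization.com": ["192.168.20.15"],
    "mary.ourorganization.com": ["192.168.20.19"],
    "gw.ourorganization.com": ["192.168.20.1"],
}

# Matches complete entries only; "<incomplete>" lines have no MAC and are skipped.
ARP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")


def parse_arp(text):
    """Yield (ip, mac) pairs for every resolved entry in `arp -an` output."""
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def table_lookup(table):
    """Build a lookup callable over a dict; missing keys raise LookupError."""
    def lookup(key):
        if key not in table:
            raise LookupError(key)
        return table[key]
    return lookup


def system_reverse(ip):
    """PTR lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError as exc:
        raise LookupError(ip) from exc


def system_forward(name):
    """A lookup through the system resolver; returns a list of addresses."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError as exc:
        raise LookupError(name) from exc


def classify(ip, reverse, forward):
    """Return 'ok', 'no-ptr' or 'mismatch' for one address.

    'mismatch' covers both a PTR name with no A record and a PTR name whose
    A records do not include the address we started from.
    """
    try:
        name = reverse(ip)
    except LookupError:
        return "no-ptr"
    try:
        addrs = forward(name)
    except LookupError:
        return "mismatch"
    return "ok" if ip in addrs else "mismatch"


def audit(arp_text, reverse, forward):
    """Return sorted (ip, mac, status) for every host that is not 'ok'."""
    flagged = []
    for ip, mac in parse_arp(arp_text):
        status = classify(ip, reverse, forward)
        if status != "ok":
            flagged.append((ip, mac, status))
    return sorted(flagged)


if __name__ == "__main__":
    if "--demo" in sys.argv:
        results = audit(SAMPLE_ARP, table_lookup(SAMPLE_PTR), table_lookup(SAMPLE_A))
    else:
        live = subprocess.run(["arp", "-an"], capture_output=True, text=True, check=True).stdout
        results = audit(live, system_reverse, system_forward)
    for ip, mac, status in results:
        print(f"{status:8} {ip} ({mac})")
```

Run with `--demo` to see the constructed case, or from cron on a host attached to each subnet to get a periodic report; cross-referencing the flagged MAC against the switch's port table is what turns the report into a conversation with the right user. Note that an address which is registered in DNS but has been grabbed by someone else still comes back `ok`, which is exactly the gap the answer above points out.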
I don't know if you will, if they are on the one network. If anyone is half determined, he can surely get around what you can do. DNS resolves to dotted decimal, that's why blocking dotted decimal is a tricky approach. You could lose them for a while going to IPv6 in octal :-D. Can you split the thing up into departments, subnets, or levels and control access that way?